How to configure Site-to-Site VPN tunnel

Learn how to configure Site-to-Site VPN tunnel on your Cisco routers. A detailed example is provided along with a diagram that is easy to understand.

[Diagram: configure site-to-site VPN tunnel between 192.168.1.0/24 and 192.168.3.0/24]

In this example we will configure a site-to-site VPN tunnel to provide network connectivity between the two LANs 192.168.1.0/24 and 192.168.3.0/24. Site-to-site VPN tunnels aren't used often anymore, having given way to GRE over IPsec tunnels or DMVPN, but this guide exists for those who want to, or have to, do it this way.

To configure a site-to-site VPN tunnel in this scenario, apply the following on each router. Note that the example uses DES with MD5 and disables IPsec anti-replay checking; these are lab settings, and a production deployment should use the stronger transforms current IOS offers (AES, SHA) and leave replay detection enabled.

Site A:

! IKE Phase 1 (ISAKMP) policy and pre-shared key for the Site B peer
crypto isakmp policy 50
 hash md5
 authentication pre-share
crypto isakmp key vpnuser address 172.16.1.2
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 5 periodic
!
crypto ipsec security-association replay disable
!
! IKE Phase 2 (IPsec) transform set
crypto ipsec transform-set myset esp-des esp-md5-hmac
 mode tunnel
!
! Crypto map ties the peer, transform set and interesting traffic (ACL 100) together
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.1.2
 set transform-set myset
 match address 100
!
interface Ethernet0/0
 ip address 172.16.1.6 255.255.255.252
 crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 172.16.1.5
!
! Interesting traffic: Site A LAN to Site B LAN
access-list 100 permit ip 192.168.1.0 0.0.0.255 192.168.3.0 0.0.0.255

Site B:

! IKE Phase 1 (ISAKMP) policy and pre-shared key for the Site A peer
crypto isakmp policy 50
 hash md5
 authentication pre-share
crypto isakmp key vpnuser address 172.16.1.6
crypto isakmp invalid-spi-recovery
crypto isakmp keepalive 60 5 periodic
!
crypto ipsec security-association replay disable
!
! IKE Phase 2 (IPsec) transform set
crypto ipsec transform-set myset esp-des esp-md5-hmac
 mode tunnel
!
! Crypto map ties the peer, transform set and interesting traffic (ACL 100) together
crypto map mymap 10 ipsec-isakmp
 set peer 172.16.1.6
 set transform-set myset
 match address 100
!
interface Ethernet0/0
 ip address 172.16.1.2 255.255.255.252
 crypto map mymap
!
ip route 0.0.0.0 0.0.0.0 172.16.1.1
!
! Interesting traffic: Site B LAN to Site A LAN (mirror of the Site A ACL)
access-list 100 permit ip 192.168.3.0 0.0.0.255 192.168.1.0 0.0.0.255

To verify, attempt to ping between 192.168.1.0/24 and 192.168.3.0/24. Once traffic matching access-list 100 hits the router, it will initiate IKE negotiation and bring up the IPsec tunnel. You can use the following show commands to display the tunnel and for troubleshooting:

show crypto isakmp sa

  • For IKE Phase 1
  • Check for QM_IDLE status

show crypto ipsec sa

  • For IKE Phase 2
  • Check that the packet encryption and decryption counters are incrementing
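As an added example, not part of the original post, here is a small Python script that applies the two checks above to captured command output. The sample output is constructed to mirror the IOS format as seen from Site A (172.16.1.6) and includes a one-way case where packets are being encrypted but none are coming back to be decrypted.

```python
import re

# Constructed sample of "show crypto isakmp sa" on Site A after Phase 1 completes.
ISAKMP_SA = """\
IPv4 Crypto ISAKMP SA
dst             src             state          conn-id status
172.16.1.2      172.16.1.6      QM_IDLE           1001 ACTIVE
"""

# Constructed "show crypto ipsec sa" excerpts, captured a few seconds apart.
IPSEC_SA_BEFORE = """\
interface: Ethernet0/0
    Crypto map tag: mymap, local addr 172.16.1.6
   local  ident (addr/mask/prot/port): (192.168.1.0/255.255.255.0/0/0)
   remote ident (addr/mask/prot/port): (192.168.3.0/255.255.255.0/0/0)
   current_peer 172.16.1.2 port 500
    #pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14
    #pkts decaps: 14, #pkts decrypt: 14, #pkts verify: 14
"""
# Second sample: the encrypt counter moved, the decrypt counter did not.
IPSEC_SA_AFTER = IPSEC_SA_BEFORE.replace(
    "#pkts encaps: 14, #pkts encrypt: 14, #pkts digest: 14",
    "#pkts encaps: 19, #pkts encrypt: 19, #pkts digest: 19")

def phase1_state(isakmp_output, peer):
    """Return the IKE Phase 1 state for the SA with `peer`, or None if absent."""
    for line in isakmp_output.splitlines():
        fields = line.split()
        if len(fields) >= 3 and peer in fields[:2]:
            return fields[2]
    return None

def phase2_counters(ipsec_output):
    """Extract (encrypt, decrypt) packet counters from 'show crypto ipsec sa'."""
    enc = re.search(r"#pkts encrypt: (\d+)", ipsec_output)
    dec = re.search(r"#pkts decrypt: (\d+)", ipsec_output)
    if not (enc and dec):
        raise ValueError("no IPsec SA counters found in output")
    return int(enc.group(1)), int(dec.group(1))

def tunnel_health(isakmp_output, ipsec_before, ipsec_after, peer):
    """Apply the two checks from the text: Phase 1 in QM_IDLE, Phase 2 counters moving."""
    enc0, dec0 = phase2_counters(ipsec_before)
    enc1, dec1 = phase2_counters(ipsec_after)
    return {
        "phase1_ok": phase1_state(isakmp_output, peer) == "QM_IDLE",
        "encrypt_incrementing": enc1 > enc0,
        "decrypt_incrementing": dec1 > dec0,
    }
```

An encrypt counter that rises while decrypt stays flat points at the return path (the far side's crypto ACL or routing) rather than at Phase 1.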

For any questions or further explanation, please feel free to leave a comment below or ask me in the forum.
